Operation and Maintenance
Safety
How Codeql analyzes the problem of cookie not enabling httponly
How Codeql analyzes the problem of cookie not enabling httponly
Preface
Today we use codeql to analyze security issues such as "cookie is not enabled httponly", thereby deepening our use of codeql. If it works well, you can consider fixing other vulnerabilities in Vulnerability-goapp.
You must additionally download codeql-go when analyzing go programs
Instructions
Audit objects
Vulnerability-goapp: Vulnerable golang Web application for education.
Modification
Since all cookies in this project do not have the http-only attribute set, we need to modify them first before comparison. The following is a rewrite of the original sentence: Record modification: Add http-only option to some cookie settings.
pkg\admin\admin.go is modified as follows. 
pkg\login\login.go is modified as follows. 
pkg\register\register.go is modified as follows. 
Remember to regenerate the database after modification (if you need to overwrite the old DATabase, you need to delete the old one first and then generate a new one.
Purpose
It is to use the codeql script to find the loopholes in which httponly is not set and httponly is set but the value of httponly is false (usually this is not the case, but it is not guaranteed).
Determine the Source and Sink
Sink definition
Sink is very simple. When setting Cookie, you need to use the http.SetCookie method, and the Cookie value that needs to be set is the second parameter of this function, and then we can write Find the query statement of Sink like this.
import go
from DataFlow::Node sink
where exists(DataFlow::CallNode c |
c.getTarget().hasQualifiedName("net/http", "SetCookie") and c.getArgument(1) = sink
)
select sinkAfter running, you can get the following results. Click on any item to jump to the code segment of the compound requirement.
We will It is converted into a Sink class, as follows.
private class Sink extends DataFlow::Node {
Sink() {
exists(DataFlow::CallNode c |
c.getTarget().hasQualifiedName("net/http", "SetCookie") and c.getArgument(1) = this
)
}
}In this way, if we define a variable as Sink, it refers to all code fragments that meet the conditions, for example:
import go
private class Sink extends DataFlow::Node {
Sink() {
exists(DataFlow::CallNode c |
c.getTarget().hasQualifiedName("net/http", "SetCookie") and c.getArgument(1) = this
)
}
}
from Sink s
select sAfter running, we will get The same result.
Source definition
Then let’s determine the Source. Judging from the parameters received by the http.SetCookie method, the actual second parameter is a pointer to the structure that receives a Cookie. 
So we first need to find such a structure. We can first list all the structures in the project.
About the structure in codeql-go The definition of the body is as follows. 
So our query script for example.
import go from StructLit source select source
also lists all the structures as we expected.
Then the next step is to eliminate other irrelevant content and restrict the type.
Regarding the hasQualifiedName method, various types in various Codeql-go have the same method. The definition is as follows. The marked object belongs to which package and what is its name. 
If you are not sure, you can print the relevant fields through getPackage and getName, for example.
import go
from StructLit source
// where source.getType().hasQualifiedName("net/http", "Cookie")
select source.getType().getPackage(), source.getType().getName()The results are as follows. 
We can find the source definition, for example.
import go
from StructLit source
where source.getType().hasQualifiedName("net/http", "Cookie")
select source
It is also converted into a subclass of DataFlow::Node.
private class Source extends DataFlow::Node {
Source() {
exists(StructLit s | s.getType().hasQualifiedName("net/http", "Cookie") and this.asExpr() = s)
}
}TaintConfig definition
Simple data flow
With Source and Sink, simply define TaintConfig to get all the data flow from Source to Sink.
import go
private class Source extends DataFlow::Node {
Source() {
exists(StructLit s | s.getType().hasQualifiedName("net/http", "Cookie") and this.asExpr() = s)
}
}
private class Sink extends DataFlow::Node {
Sink() {
exists(DataFlow::CallNode c |
c.getTarget().hasQualifiedName("net/http", "SetCookie") and c.getArgument(1) = this
)
}
}
class Configuration extends TaintTracking::Configuration {
Configuration() { this = "HttpOnly" }
override predicate isSource(DataFlow::Node source) { source instanceof Source }
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
}
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select source, sinkThe results are as follows: 
Elimination
However, we still have not removed the part where httponly=true is set. Therefore, it is necessary to add limiting conditions, that is, data streams with the HttpOnly attribute set to true are excluded from the results.
We can use TaintTracking::isSanitizer provided by CodeQL to filter harmless nodes:
override predicate isSanitizer(DataFlow::Node node) {
exists(Write w, Field f, DataFlow::Node rhs |
f.hasQualifiedName("net/http", "Cookie", "HttpOnly") and
w.writesField(node, f, rhs) and
rhs.getBoolValue() = true
)
}运行结果如下,但有一处地方需要注意。
红框中实际有对HttpOnly进行设置,但我们的脚本并不能识别这样的一个数据流。后面试了各种方法,最终找到一种解决方式,将isSanitizer修改成以下内容。
override predicate isSanitizer(DataFlow::Node node) {
exists(Write w, Field f, DataFlow::Node n, DataFlow::Node rhs |
f.hasQualifiedName("net/http", "Cookie", "HttpOnly") and
w.writesField(n, f, rhs) and
rhs.getBoolValue() = true and
node = n.getAPredecessor*()n
)
}其中node=n.getAPredecessor*()是说node是n的前置数据流节点,数据可以在0个或多个步骤中从node流到n。
最终脚本
加上一些信息,模仿官方的示例,最终脚本如下。
/**
* @name Cookie未设置httponly
* @description Cookies包含一个HTTPOnly的设置选项,可以使此cookie不能被js读取,而只能用于HTTP请求。
* @kind path-problem
* @problem.severity error
* @precision low
* @id go/Cookie-not-set-httponly
* @tags security
*/
import go
import DataFlow::PathGraph
private class Source extends DataFlow::Node {
Source() {
exists(StructLit s | s.getType().hasQualifiedName("net/http", "Cookie") and this.asExpr() = s)
}
}
private class Sink extends DataFlow::Node {
Sink() {
exists(DataFlow::CallNode c |
c.getTarget().hasQualifiedName("net/http", "SetCookie") and c.getArgument(1) = this
)
}
}
class Configuration extends TaintTracking::Configuration {
Configuration() { this = "HttpOnly" }
override predicate isSource(DataFlow::Node source) { source instanceof Source }
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
override predicate isSanitizer(DataFlow::Node node) {
exists(Write w, Field f, DataFlow::Node n, DataFlow::Node rhs |
f.hasQualifiedName("net/http", "Cookie", "HttpOnly") and
w.writesField(n, f, rhs) and
rhs.getBoolValue() = true and
node = n.getAPredecessor*()
)
}
}
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "Cookie-not-set-httponly in $@.", source.getNode(), "here"最终筛选出存在问题的内容。
The above is the detailed content of How Codeql analyzes the problem of cookie not enabling httponly. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1386
52
How to Fix Roblox 403 Forbidden Error on Google Chrome
May 19, 2023 pm 01:49 PM
Many Windows users have recently encountered an unusual error called Roblox403 Forbidden Error while trying to access website URLs in Google Chrome browser. Even after restarting the Chrome app multiple times, they were unable to do anything. There could be several potential causes for this error, some of which we've outlined and listed below. Browsing history and other cache of Chrome and corrupted data Unstable internet connection Incorrect website URLs Extensions installed from third-party sources After considering all the above aspects, we have come up with some fixes that can help users resolve this issue. If you encounter the same problem, check out the solutions in this article. Fix 1
Where are the cookies on your computer?
Dec 22, 2023 pm 03:46 PM
Cookies on your computer are stored in specific locations on your browser, depending on the browser and operating system used: 1. Google Chrome, stored in C:\Users\YourUsername\AppData\Local\Google\Chrome\User Data\Default \Cookies etc.
Where are cookies stored?
Dec 20, 2023 pm 03:07 PM
Cookies are usually stored in the cookie folder of the browser. Cookie files in the browser are usually stored in binary or SQLite format. If you open the cookie file directly, you may see some garbled or unreadable content, so it is best to use Use the cookie management interface provided by your browser to view and manage cookies.
Where are the mobile cookies?
Dec 22, 2023 pm 03:40 PM
Cookies on the mobile phone are stored in the browser application of the mobile device: 1. On iOS devices, Cookies are stored in Settings -> Safari -> Advanced -> Website Data of the Safari browser; 2. On Android devices, Cookies Stored in Settings -> Site settings -> Cookies of Chrome browser, etc.
How cookies work
Sep 20, 2023 pm 05:57 PM
The working principle of cookies involves the server sending cookies, the browser storing cookies, and the browser processing and storing cookies. Detailed introduction: 1. The server sends a cookie, and the server sends an HTTP response header containing the cookie to the browser. This cookie contains some information, such as the user's identity authentication, preferences, or shopping cart contents. After the browser receives this cookie, it will be stored on the user's computer; 2. The browser stores cookies, etc.
Detailed explanation of where browser cookies are stored
Jan 19, 2024 am 09:15 AM
With the popularity of the Internet, we use browsers to surf the Internet have become a way of life. In the daily use of browsers, we often encounter situations where we need to enter account passwords, such as online shopping, social networking, emails, etc. This information needs to be recorded by the browser so that it does not need to be entered again the next time you visit. This is when cookies come in handy. What are cookies? Cookie refers to a small data file sent by the server to the user's browser and stored locally. It contains user behavior of some websites.
Does clearing cookies have any impact?
Sep 20, 2023 pm 06:01 PM
The effects of clearing cookies include resetting personalization settings and preferences, affecting ad experience, and destroying login status and password remembering functions. Detailed introduction: 1. Reset personalized settings and preferences. If cookies are cleared, the shopping cart will be reset to empty and products need to be re-added. Clearing cookies will also cause the login status on social media platforms to be lost, requiring re-adding. Enter your username and password; 2. It affects the advertising experience. If cookies are cleared, the website will not be able to understand our interests and preferences, and will display irrelevant ads, etc.
What are the dangers of cookie leakage?
Sep 20, 2023 pm 05:53 PM
The dangers of cookie leakage include theft of personal identity information, tracking of personal online behavior, and account theft. Detailed introduction: 1. Personal identity information is stolen, such as name, email address, phone number, etc. This information may be used by criminals to carry out identity theft, fraud and other illegal activities; 2. Personal online behavior is tracked and analyzed through cookies With the data in the account, criminals can learn about the user's browsing history, shopping preferences, hobbies, etc.; 3. The account is stolen, bypassing login verification, directly accessing the user's account, etc.
